• Latest
  • Trending
Microsoft informs customers of ‘NotLegit’ Azure bug

Microsoft informs customers of ‘NotLegit’ Azure bug

December 24, 2021
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
Instagram fined €405m over children’s data privacy

Instagram fined €405m over children’s data privacy

September 6, 2022
8 Most Common Causes of a Data Breach

5.7bn data entries found exposed on Chinese VPN

August 18, 2022
Fibre optic interconnection linking Cameroon and Congo now operational

Fibre optic interconnection linking Cameroon and Congo now operational

July 15, 2022
Ericsson and MTN Rwandacell Discuss their Long-Term Partnership

Ericsson and MTN Rwandacell Discuss their Long-Term Partnership

July 15, 2022
Airtel Africa Purchases $42M Worth of Additional Spectrum

Airtel Africa Purchases $42M Worth of Additional Spectrum

July 15, 2022
Huawei steps up drive for Kenyan talent

Huawei steps up drive for Kenyan talent

July 15, 2022
TSMC predicts Q3 revenue boost thanks to increased iPhone 13 demand

TSMC predicts Q3 revenue boost thanks to increased iPhone 13 demand

July 15, 2022
Facebook to allow up to five profiles tied to one account

Facebook to allow up to five profiles tied to one account

July 15, 2022
Top 10 apps built and managed in Ghana

Top 10 apps built and managed in Ghana

July 15, 2022
MTN Group to Host the 2nd Edition of the MoMo API Hackathon

MTN Group to Host the 2nd Edition of the MoMo API Hackathon

July 15, 2022
KIOXIA Introduce JEDEC XFM Removable Storage with PCIe/NVMe Spec

KIOXIA Introduce JEDEC XFM Removable Storage with PCIe/NVMe Spec

July 15, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Wednesday, 8 February, 2023
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Microsoft informs customers of ‘NotLegit’ Azure bug

Cloud security company Wiz discovered the bug back in October.

by ITECHNEWS
December 24, 2021
in Leading Stories, Tech
0 0
0
Microsoft informs customers of ‘NotLegit’ Azure bug

Microsoft’s Security Response Center has released a blog post explaining its response to the “NotLegit” bug in Azure that was discovered by cloud security company Wiz.

Wiz said all PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since September 2017 are affected. They added that all PHP, Node, Ruby, and Python applications that were deployed in Azure App Service from September 2017 onward using any Git source — after a file was created or modified in the application container — were also affected.

YOU MAY ALSO LIKE

Inaugural AfCFTA Conference on Women and Youth in Trade

Instagram fined €405m over children’s data privacy

Microsoft clarified in their response that the issue affects App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory. They explained that this happens “because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu).”

“The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure,” Microsoft explained.

They noted that not all users of Local Git were impacted by the vulnerability and that the Azure App Service Windows was not affected.

Microsoft has notified the customers that are affected by the problem, including those that were impacted due to the activation of in-place deployment and those who had the .git folder uploaded to the content directory. The company also updated its Security Recommendations document with an additional section on securing source code. It also updated the documentation for in-place deployments.

The Wiz Research Team said on Tuesday that it first notified Microsoft of the issue on October 7 and worked with the company through the month to address it. The fix was deployed in November, and customers were notified by December. Wiz was paid a bug bounty of $7,500.

Microsoft did not say if the vulnerability has been exploited, but Wiz said “NotLegit” is “extremely easy, common, and is actively being exploited.”

“To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the researchers explained.

“Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th – 15th of December, 2021.”

The Wiz Research Team noted that accidentally exposing the Git folder through user error is a security issue that has impacted organizations like the United Nations and a number of Indian government sites.

Vectra CTO Oliver Tavakoli said the impact of the vulnerability will be highly variable. Accessing the source code underlying an application (and possibly other files which might have been left in the same directory) may provide information that could be leveraged for other attacks, Tavakoli said.

“The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern, as it means that the vulnerability was not a well-kept secret,” Tavakoli explained.

JupiterOne field security director Jasmine Henry told ZDNet that leaked source code puts an organization in an incredibly vulnerable position to threat actors, who can instantly steal intellectual property or launch an exploit tailored to unique weaknesses in the source code.

“The NotLegit vulnerability is especially eye-opening, since it highlights the growing security risk caused by privileged accounts and services, even in the absence of developer error,” Henry said.

Source: Jonathan Greig
Via: ZDNet
Tags: Azure bugMicrosoftNotLegit
ShareTweetShare
Plugin Install : Subscribe Push Notification need OneSignal plugin to be installed.

Search

No Result
View All Result

Recent News

Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
Instagram fined €405m over children’s data privacy

Instagram fined €405m over children’s data privacy

September 6, 2022
8 Most Common Causes of a Data Breach

5.7bn data entries found exposed on Chinese VPN

August 18, 2022

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
Instagram fined €405m over children’s data privacy

Instagram fined €405m over children’s data privacy

September 6, 2022

Recent News

  • Inaugural AfCFTA Conference on Women and Youth in Trade September 6, 2022
  • Instagram fined €405m over children’s data privacy September 6, 2022
  • 5.7bn data entries found exposed on Chinese VPN August 18, 2022
  • Fibre optic interconnection linking Cameroon and Congo now operational July 15, 2022
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© 2021-2022 iTechNewsOnline.Com - Powered by BackUPDataSystems

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© 2021-2022 iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Go to mobile version